Methods and apparatus for conducting electronic transactions

ABSTRACT

A system and method for conducting electronic commerce are disclosed. In various embodiments, the electronic transaction is a purchase transaction. A user is provided with an intelligent token, such as a smartcard containing a digital certificate. The intelligent token suitably authenticates with a server on a network that conducts all or portions of the transaction on behalf of the user. In various embodiments a wallet server interacts with a security server to provide enhanced reliability and confidence in the transaction. In various embodiments, the wallet server includes a toolbar. In various embodiments, the digital wallet pre-fills forms. Forms may be pre-filled using an auto-remember component.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a divisional of U.S. application Ser. No. 09/652,899filed on Aug. 31, 2000, now U.S. Pat. No. 7,343,351, the entiredisclosure of which is hereby incorporated by reference.

This application claims the benefit of: U.S. Provisional Application No.60/151,880, filed Aug. 31, 1999; U.S. Provisional Application No.60/164,668, filed Nov. 9, 1999; U.S. Provisional Application No.60/165,577, filed Nov. 15, 1999; and, U.S. Provisional Application No.60/201,635, filed May 3, 2000.

FIELD OF THE INVENTION

The invention relates generally to methods and apparatus for conductingnetwork transactions. More particularly, the invention relates tosystems for authenticating and conducting business over data networkssuch as the Internet.

BACKGROUND OF THE INVENTION

In recent years, many consumers have discovered the convenience andeconomy of purchasing goods and services electronically. A number ofchannels for electronic purchases (commonly called “e-purchases”) areavailable, including shop-at-home television networks, call-in responsesto television advertisements, and the like. Most recently, directpurchasing via the Internet has become extremely popular.

In a typical Internet transaction, a consumer generally identifies goodsand/or services for purchase by viewing an online advertisement such asa hypertext markup language (HTML) document provided via a World WideWeb (WWW) browser. Payment typically occurs via a charge card numberthat is provided via a secure channel such as a secure sockets layer(SSL) connection that is established between the consumer and themerchant. A charge card account number is typically a sixteen-digitcredit card number. Credit card numbers typically comply with astandardized format having four spaced sets of numbers, as representedby the number “0000 0000 0000 0000”. The first five to seven digits arereserved for processing purposes and identify the issuing bank, cardtype, etc. The last sixteenth digit is used as a sum check for thesixteen-digit number. The intermediary eight-to-ten digits are used touniquely identify the customer. The merchant then processes the chargecard number by, for example, receiving direct authorization from thecard issuer, then the merchant completes the transaction. The SSLstandard is described by, for example, “The SSL Protocol Version 3.0”dated Nov. 18, 1996 which is available online athttp://home.netscape.com/eng/ssl3/draft302.txt, the entire contents ofwhich are incorporated herein by reference.

Although millions of transactions take place every day via the Internet,conventional SSL transactions often exhibit a number of markeddisadvantages. Although SSL typically provides a secure end-to-endconnection that prevents unscrupulous third parties from eavesdropping(e.g., “sniffing”) or otherwise obtaining a purchaser's charge cardnumber, the protocol does not provide any means for ensuring that thecharge card number itself is valid, or that the person providing thecard number is legally authorized to do so. Because of the highincidence of fraud in Internet transactions, most charge card issuersconsider network transactions to be “Card Not Present” transactionssubject to a higher discount rate. Stated another way, because of theincreased risk from “Card Not Present” transactions, most charge cardissuers charge the merchant a higher rate for accepting card numbers viaelectronic means than would be charged if the card were physicallypresented to the merchant.

To improve the security deficiencies inherent in transporting chargecard numbers over unsecure networks, many have suggested the use of“smart cards”. Smart cards typically include an integrated circuit chiphaving a microprocessor and memory for storing data directly on thecard. The data can correspond to a cryptographic key, for example, or toan electronic purse that maintains an electronic value of currency. Manysmartcard schemes have been suggested in the prior art, but thesetypically exhibit a marked disadvantage in that they are non-standard.In other words, merchants typically must obtain new, proprietarysoftware for their Web storefronts to accept smartcard transactions.Moreover, the administration costs involved with assigning andmaintaining the cryptographic information associated with smart cardshave been excessive to date.

The Secure Electronic Transaction (SET) standard has been suggested toimprove the security of Internet transactions through the use of variouscryptographic techniques. Although SET does provide improved securityover standard SSL transactions, the administration involved with thevarious public and private keys required to conduct transactions haslimited SET's widespread acceptance. SET also requires special softwarefor those merchants wishing to support SET transactions.

Existing digital wallet technology, such as the digital wallettechnology provided by, for example, GlobeSet, Inc., 1250 Capital ofTexas Highway South, Building One, Suite 300, Austin, Tex., 78746,provides a means for customers to utilize transaction card products(e.g., credit, charge, debit, smart cards, account numbers and the like)to pay for products and services on-line. In general, digital walletsare tools which store personal information (name, address, chargecardnumber, credit card number, etc.) in order to facilitate electroniccommerce or other network interactions. The personal information can bestored on a general server or at a client location (PC or Smartcard) oron a hybrid of both a general server and a client server. The digitalwallet general server is comprised of a Web server and a database serverwhich centrally houses the customer's personal and credit cardinformation, shopping preferences and profiles of on-line merchants.

A digital wallet preferably performs functions such as single signon/one password, automatic form filling of check out pages, one- ortwo-click purchasing, personalization of Websites, on-line order anddelivery tracking, itemized electronic receipts, and customized offersand promotions based upon spending patterns and opt-ins. Moreparticularly, a one-click purchase activates the wallet and confirms thepurchase at the same time. A two-click check out first activates thewallet, then the second click confirms the purchase.

In use, the wallet bookmark is typically clicked by the customer and anSSL session is established with the Wallet server. A browser plug-in isexecuted and the customer supplies an ID/password or smartcard forauthentication in order to gain access to the wallet data. When shoppingat an on-line merchant, the appropriate wallet data is transferred fromthe wallet server to the merchant's Web server.

A new system of conducting electronic transactions is therefore desired.Such a system should provide improved security without additionaloverhead for customers and merchants. Moreover, such a new system shouldintegrate well with various Internet wallets and other services providedby various vendors.

SUMMARY OF THE INVENTION

In exemplary embodiments of the invention, a user is provided with anintelligent token, such as a smartcard, which can be used in conductingelectronic transactions. The intelligent token contains a digitalcertificate and suitably authenticates with a server on the network thatconducts all or portions of the transaction on behalf of the user. Theuser is a purchaser conducting a purchase transaction and the server isa wallet server that interacts with a security server to provideenhanced reliability and confidence in the transaction.

Electronic transactions, such as purchase transactions, are conductedby: receiving a transaction request from a user at a server; issuing achallenge to the user; receiving a response from the user based upon thechallenge; processing the response to verify a transaction instrument;assembling credentials which include at least one key for the electronictransaction; providing at least a portion of the credentials to theuser; receiving a second request from the user which includes theportion of the credentials; and validating the portion of thecredentials with the key to provide access to a transaction service.

Moreover, the present invention protects a network server from an attackby: restricting access to the network server to a portion of the networkserver for at least a selected protocol and scanning the portion of thenetwork server for particular characters associated with the selectedprotocol. The particular characters may be removed or replaced withbenign characters in order to reduce the security risk posed by theselected protocol. Preferably, the characters can be logged in order toform a security log. The security log can be reviewed to determinewhether the particular characters are hostile. Alternatively, a requestmay be denied.

The present invention also includes a transaction tool, such as adigital wallet used to perform purchase transactions, having anactivator and a toolbar. Preferably, the toolbar allows a user toperform a small download of the activator and the toolbar utilizes oneor more operating system controls, for example, a system tray icon. Thetransaction tool also includes a form fill component and an autoremember component for pre-filling forms with information previouslyprovided by the user.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and other features and advantages of the present invention arehereinafter described in the following detailed description of exemplaryembodiments to be read in conjunction with the accompanying drawingfigures, wherein like reference numerals are used to identify the sameor similar parts in the similar views, and:

FIGS. 1A-1C are block diagrams of various embodiments of an exemplarytransaction system;

FIG. 2 is a block diagram of an exemplary purchaser system;

FIG. 3 is a block diagram of an exemplary security system;

FIG. 4 is a block diagram of an exemplary wallet server;

FIGS. 5-8 are exemplary screen displays for an embodiment of a digitalwallet formed in accordance with the present invention;

FIG. 9 is a flow diagram of an exemplary process executed by anexemplary activator application;

FIG. 10 is a message sequence chart of an exemplary login sequence;

FIG. 11 is a message sequence chart of an exemplary purchase sequence;

FIG. 12A is a message sequence chart illustrating a potential securityproblem encountered with many scripting languages;

FIG. 12B is a message sequence chart of a correct communications flowwithout the security problems shown in FIG. 12A; and

FIG. 13 is a flow diagram of an exemplary process for reducing oreliminating undesired executable code.

DETAILED DESCRIPTION OF PREFERRED EXEMPLARY EMBODIMENTS

The present invention may be described herein in terms of functionalblock components and various processing steps. It should be appreciatedthat such functional blocks may be realized by any number of hardwareand/or software components configured to perform the specifiedfunctions. For example, the present invention may employ variousintegrated circuit (I.C.) components, e.g., memory elements, processingelements, logic elements, look-up tables, and the like, which may carryout a variety of functions under the control of one or moremicroprocessors or other control devices. Similarly, the softwareelements of the present invention may be implemented with anyprogramming or scripting language such as C, C++, Java, COBOL,assembler, PERL, or the like, with the various algorithms beingimplemented with any combination of data structures, objects, processes,routines or other programming elements. Further, it should be noted thatthe present invention may employ any number of conventional techniquesfor data transmission, signaling, data processing, network control, andthe like. Still further, the invention could be used to detect orprevent security issues with a scripting language, such as JavaScript,VBScript or the like.

It should be appreciated that the particular implementations shown anddescribed herein are illustrative of the invention and its best mode andare not intended to otherwise limit the scope of the present inventionin any way. Indeed, for the sake of brevity, conventional datanetworking, application development and other functional aspects of thesystems (and components of the individual operating components of thesystems) may not be described in detail herein. Furthermore, theconnecting lines shown in the various figures contained herein areintended to represent exemplary functional relationships and/or physicalcouplings between the various elements. It should be noted that manyalternative or additional functional relationships or physicalconnections may be present in a practical electronic transaction system.

To simplify the description of the exemplary embodiments, the inventionis frequently described as pertaining to a system of electronic commercerunning over the Internet. It will be appreciated, however, that manyapplications of the present invention could be formulated. For example,the system could be used to authenticate users of a computer system, orto activate a passcode system, or any other purpose. Similarly, theinvention could be used in conjunction with any type of personalcomputer, network computer, workstation, minicomputer, mainframe, or thelike running any operating system such as any version of Windows,Windows NT, Windows2000, Windows 98, Windows 95, MacOS, OS/2, BeOS,Linux, UNIX, or the like. Moreover, although the invention is frequentlydescribed herein as being implemented with TCP/IP communicationsprotocols, it will be readily understood that the invention could alsobe implemented using IPX, Appletalk, IP-6, NetBIOS, OSI or any number ofexisting or future protocols.

Furthermore, the customer and merchant may represent individual people,entities, or business while the bank may represent other types of cardissuing institutions, such as credit card companies, card sponsoringcompanies, or third party issuers under contract with financialinstitutions. The payment network includes existing proprietary networksthat presently accommodate transactions for credit cards, debit cards,and other types of financial/banking cards. The payment network is aclosed network that is assumed to be secure from eavesdroppers such asthe American Express® network, VisaNet® network or Veriphone®.

Additionally, other participants may be involved in some phases of thetransaction, such as an intermediary settlement institution, but theseparticipants are not shown. Each participant is equipped with acomputing system to facilitate transactions. The customer has a personalcomputer, the merchant has a computer/server, and the bank has a mainframe computer; however, any of the computers may be a mini-computer, aPC server, a network set of computers, laptops, notebooks, hand heldcomputers, set-top boxes, and the like.

Referring now to FIG. 1A, a transaction system 100 suitably includes atleast one user computer 110, a transaction authorizer computer 120, asecurity server 130 and an optional transaction tool server 140. Invarious embodiments described in detail herein, the transaction system100 is used in electronic commerce to conduct purchase transactions.Specifically, the user computer 110 is a purchaser or customer computer,the transaction authorizer computer 120 is a merchant computer and thetransaction tool server 140 is a digital wallet server. It will beappreciated that although the transaction system described herein is anelectronic commerce system, the present invention is equally applicableto various other electronic transaction systems.

The various computer systems and servers are interconnected asappropriate by a data network 102, which is any data network such as theInternet or another public data network. Other suitable networks 102include the public switched telephone network (PSTN), corporate oruniversity intranets, and the like. In various embodiments, such as theone shown in FIG. 1B, merchant computer 120 is electronically coupled tosecurity server 130 through a data connection 152 separate from network102. Similarly, various embodiments include a connection 150 separatefrom network 102 connecting the wallet server 140 and security server130. Exemplary data connections suitable for use with connections 150and 152 include telephone connections, ISDN connections, dedicated T1 orother data connections, wireless connections and the like. It will beappreciated that connection 150 and connection 152 may be identicalconnections, or each may be an entirely different form of connection invarious embodiments of the invention.

Various embodiments, such as the one shown in FIG. 1C, also include anapplication server 160. In various embodiments, databases (not shown)and/or profile servers (not shown) may be connected to applicationserver 160 and/or wallet server 140. Application server 160 can be usedto balance the workload. Spreading the workload between digital wallet140 and application server 160 can enhance efficiency and/or security.For example, application server 160 may perform some of thefunctionality performed by the Wallet server 140, such as databaseaccess. Because the application server 160 is not connected to the datanetwork 102, security may be enhanced by having database access beperformed by the application server 160 instead of the wallet server140.

While various exemplary embodiments have been illustrated in FIGS.1A-1C, it will be appreciated that other embodiments are possible. Forexample, an embodiment may include connection 150 but not connection 152or vice versa. Furthermore, components (e.g., customer 110, merchant120, security server 130, wallet server 140 and application server 160)may be individual computers or networked groups of computers acting withsimilar purpose to fulfill the functions described herein. Functionalityattributed to a single component may be distributed among one or moreindividual computers in order to fulfill the described functionality.For example, the wallet server 140, may in fact be a collection of Webservers, application servers, database servers and other types ofservers.

To conduct a transaction, customer 110 suitably establishes a connectionthrough network 102 with a merchant 120. When a purchase is to beconsummated, customer 110 accesses wallet server 140. The customer 110is then redirected to security server 130 to verify that a smartcard isin the customer's possession. The smartcard may include a digitalcertificate that uniquely identifies the card such that digitalcredentials relating to the transaction may be created, as describedbelow. In various embodiments, portions of the digital credentials arereturned to customer 110 and a portion is provided to wallet server 140via secure connection 150. Customer 110 may then use the digitalcredentials to authenticate to a wallet server 140, which may completethe electronic transaction as a proxy for customer 110. Wallet server140 may include functionality for completing purchase forms affiliatedwith merchant computer 120, for example. When merchant 120 receives asecure purchase instrument identifier from customer 110 or from walletserver 140, card authorization may take place over connection 152 aswith any ordinary charge card authorization. As described above, thecommunications can be performed using various protocols, for example SSLor VPN and the like. Because the smartcard contains identifyinginformation that is unique to the particular card and which can be madeknown to the network through electronic means, a purchase transactionconducted with the smartcard is more secure than a transaction conductedwith an ordinary charge or credit card. A lower discount rate may bejustified for the secure transaction, which may be processed by the cardissuer as a “Card Present” transaction. Additionally, if the transactionis a “Card Present” transaction, the risk of fraud may be transferredfrom the merchant to the card issuer.

With reference now to FIG. 2, an exemplary purchaser computer 110 (alsoreferred to as a client, customer, or user computer) is any computersystem that is capable of initiating an electronic purchase transactionon data network 102. In various embodiments, purchaser computer 110 is apersonal computer running any operating system 212 such as any versionof the Windows operating system available from the Microsoft Corporationof Redmond, Wash. or any version of the MacOS operating system availablefrom the Apple Corporation of Cupertino, Calif.

Purchaser computer 110 suitably includes hardware and/or software toallow a smartcard 202 to interface with a Web browser 216 throughoperating system 212. Web browser 216 is any program compatible withpurchaser computer 110 that communicates via network 102 such asNetscape Communicator available from the Netscape Corporation ofMountain View, Calif., Internet Explorer available from the MicrosoftCorporation of Redmond, Wash., or the AOL Browser available from theAmerica Online Corporation of Dulles, Va. In various embodiments,purchaser computer 110 includes a wallet client 214, which is anycomputer program configured to communicate with wallet server 140. Anexemplary wallet client 214 is the Microsoft Wallet, or the GlobesetWallet available from the Globeset Corporation of Austin, Tex., althoughany wallet program could be used.

Wallet client 214 and browser 216 may interact with smartcard 202 bysending data through operating system 212 to a card reader 204. Cardreader 204 is any reader device capable of transferring informationbetween wallet client 214 and smartcard 202. In various embodiments,card reader 204 is an ISO-7816 compatible reader such as the ModelGCR410 available from the Gemplus Corporation of Redwood City, Calif.,or any other suitable reader.

Smartcard 202 is any card that is capable of conducting electronictransactions, such as any smartcard that is compatible with thefollowing ISO standards, all incorporated herein by reference in theirentirety:

-   -   ISO/IEC 7816-1:1998 Identification cards—Integrated circuit(s)        cards with contacts—Part 1: Physical characteristics;    -   ISO/IEC 7816-2:1999 Information technology—Identification        cards—Integrated circuit(s) cards with contacts—Part 2:        Dimensions and location of the contacts;    -   ISO/IEC 7816-3: 1997 Information technology—identification        cards—Integrated circuit(s) cards with contacts—Part 3:        Electronic signals and transmission protocols;    -   ISO/IEC 7816-4:1995 Information technology—Identification        cards—Integrated circuit(s) cards with contacts—Part 4:        Interindustry commands for interchange;    -   ISO/IEC 7816-5:1994 Identification cards—Integrated circuit(s)        cards with contacts—Part 5: Numbering system and registration        procedure for application identifiers;    -   ISO/IEC 7816-6:1996 Identification cards—Integrated circuit(s)        cards with contacts—Part 6: Interindustry data elements; and

ISO/IEC 7816-7:1999 Identification cards—Integrated circuit(s) cardswith contacts—Part 7: Interindustry commands for Structured Card QueryLanguage (SCQL).

An exemplary smartcard 202 is a smartcard in accordance with the ISO7816 specifications including a model SLE66 chip available from theInfineon Corporation of Munich, Germany. The SLE66 chip includes amemory (such as a 16 k memory, although more or less memory could beused) and a processor running, for example, the Multos operating system(such as Multos v.4). In various embodiments smartcard 202 also includesan applet for storing and processing digital certificates or othercryptographic functions. For a basic introduction of cryptography, see“Applied Cryptography: Protocols, Algorthms, And Source Code In C,” byBruce Schneier and published by John Wiley & Sons (second edition,1996), which is hereby incorporated by reference. For example, an X.509Java applet could be included on smartcard 202 for processing an X.509certificate stored thereon. While the embodiments described hereinutilize a smartcard, it will be appreciated that other intelligenttokens, for example a global system for mobile communication (GSM)mobile phone, can be substituted for the smartcard in variousembodiments of the invention.

With reference now to FIG. 3, a security server 130 suitably includes aninterface to network 102, a security engine 304 and an authorizationserver 306 communicating with a database 310. Network interface 302 isany program that facilitates communications on network 102, such as aWeb server. In various embodiments, network interface 302 is based uponNetscape Enterprise Server, available from the Netscape Corporation ofMountain View, Calif. Network interface 302 received electronic messageson network 102 and routes them to security engine 304 or authorizationserver 306 as appropriate.

Security engine 304 and authorization server 306 may be separated by afirewall 308. Firewall 308 is any hardware or software control (such asa router access control) capable of restricting data flow between aninternal and an external network (not shown). In various embodiments,security engine 304 suitably resides outside the firewall to administerdata transfers between the security server 130 and the customer 110 orwallet server 140. Authorization server 306 retains valuableconfidential information such as database 310, which may contain across-reference of x.509 certificates stored on the various smartcards202 associated with the system 100, so it may be suitably maintained onan internal network for enhanced security. It will be understood thatthe functionality of security engine 304 and authorization server 306may be suitably combined or separated in various ways without departingfrom the scope of the present invention.

With reference now to FIG. 4, an exemplary wallet server 140 includes anetwork interface 402, an optional applet server 404 and a walletapplication 406. Network interface 402 is any program that facilitatescommunications on network 102, such as a Web server. In variousembodiments, network interface 402 is based upon Netscape EnterpriseServer, available from the Netscape Corporation of Mountain View, Calif.Optional applet server 404 provides server functionality for distributedprograms such as Java programs or ActiveX controls. An exemplary appletserver is the Java Applet Server available from Sun Microsystems ofMountain View, Calif. Applet server 404 and network interface 402provide support functionality for wallet application 406, which mayhandle login functionality, retrieve wallet data from wallet database408, and/or administer transactions as described herein. In variousembodiments of the invention, wallet server 140 may include theSERVERWALLET (a.k.a. NETWALLET) program available from the GlobesetCorporation of Austin, Tex.

Various embodiments of the invention may include an activatorapplication that suitably helps consumers with the wallet purchaseprocess. The activator application may present status information, forexample, or may actively launch the wallet client 214 (FIG. 2) whenappropriate. Additionally, the activator may maintain a local cache ofsites supported by the wallet.

The activator application program may be implemented as a conventionalcomputer application. In various embodiments, the activator applicationdisplays information as a system tray icon, as a “floating bitmap”, orin any other suitable manner. The graphical representations (e.g.,icons) may indicate status information such as “browsing at a supportedsite”, “browsing at a supported checkout page”, “browsing at a supportedpayment page”, “no browser windows open”, “browsing at an unsupportedpage”, and/or the like.

A floating bitmap may be implemented with any graphical file or format,for example, a graphics interchange format (GIF) file. Alternateembodiments present information in graphical, audio, visual,audiovisual, multimedia, animated or other formats. Moreover, GIF filesmay be replaced with LZW files, TIFF files, animated GIF files, JPEGfiles, MPEG files, or any other sort of graphical, audio or multimediaformat or file.

Preferably, the present invention is enhanced by providing a transactiontool with a window which includes controls which allow a user to moreeasily use the transaction tool. The transaction tool can be used forvarious electronic transactions. For example, purchase transactions,financial advisory transactions, insurance transactions,consumer-to-consumer transactions, such as barter transactions,transactions relating to offers and rewards, etc. The transaction tooldescribed in detail herein is a digital wallet used for electronicpurchase transactions. The digital wallet is enhanced by providing awindow with controls for the customer to more easily use the wallet.Preferably, the present invention includes a client-side implementationfor accessing digital wallet functionality (“activator”) and aserver-side toolbar, that allows the user to perform a small download ofthe activator and utilize one or more control elements of the OperatingSystem User Interface, for example, a Microsoft Windows system trayicon.

The activator is object code that runs on the user's computer andcontains routines for accessing the wallet server. The activator cangenerate events and the activator contains procedural logic which allowsfor communication with the wallet server in response to specific userand system actions or events. Preferably, the activator presents asingle graphical element, for example an icon which in a MicrosoftWindows embodiment appears as a Windows system tray icon, and whichenables the user to trigger the appearance of the wallet toolbar. Invarious embodiments, the wallet toolbar is, in effect, a special browserwindow that accesses the wallet server. The activator communicates withthe wallet server to automate the update of the activator object code,via a small download. Preferably, the user is queried for a confirmationprior to performing the activator download. In various embodiments, theactivator communicates with applications other than the wallet, forexample, offers of rewards.

The system provides the content of relevant options on each of its webpages, namely dynamic and contextual information that is specific toeach page viewed by the user. This is accomplished by the activatormonitoring URLs and potentially keying on pages so that the user can bemade aware of potential opportunities. For example, the activator cancheck to see if the user is viewing a merchant site and presentapplicable offers (e.g., discount on merchandise, etc.) to the user. Theactivator can also monitor versions of software on the user's system andinform the user of possible upgrade versions. In an exemplaryembodiment, the system is implemented on any network, such as a WAN,LAN, Internet, or on any personal computer, wireless electronic deviceor any other similar device. The system can be implemented on anoperating system, for example Microsoft Windows, Mac OS, Linux, WindowsCE, Palm OS, and others.

The activator, which is preferably implemented on the client side,allows the user 110 to be in constant or intermittent communication withthe digital wallet 140 issuer, for example, American Express, withouthaving to have intrusive windows taking up space on the user's display.As described above, this allows the wallet issuer to monitor and presentpossible items of interest to the user at appropriate times. Theconfigurable controls presented in the window allow the customer toquickly navigate to desired Web sites, and to immediately invoke desiredfunctionality such as digital shopping cart checkout. Preferably, theclient toolbar may be a discrete window that associates with the user'sbrowser window, and maintains a geometry that effectively renders it apart of the user's browser. Although when the user clicks on itscontrols, the window remains in its original state, namely the windowdirects the browser window to visit desired URLs and invoke specificactions (such as, use of the digital wallet). For example, afterselecting a digital wallet icon from the system tray, the digital wallettoolbar 502 is displayed as a discrete window that is associated withthe user's browser window 500 as shown in FIG. 5. In an alternativeembodiment, the client toolbar frames the existing wallet window,providing the additional controls as described above in an extension ofthe window area which is provided by an existing wallet. In anotheralternative embodiment, the area is divided in the user's standardbrowser window to create an area that can be used for wallet and theother controls described above.

The system preferably provides a convenient way for customers to notonly visit favorite URLs, but also to invoke specific functionality thatmight otherwise incur many steps, and which might change as thevendors'sites are continually updated. The system also preferablyprovides a simpler user experience by making the wallet and e-commercesites not only easy to use, but by making the wallet and client toolbareasy to find. When a user has many different windows open, finding thewallet window can be difficult and annoying, especially as differentbrowser windows seize GUI focus during the course of normal navigationand interaction with sites. As such, use of the system tray icon andserver side functionality provides a superior user experience. In apreferred embodiment, the present system works with any known in the artbrowser, such as Netscape Navigator.

While prior art systems may simply provide a customizable portal (e.g.,MyAmericanExpress.com) that allows a user to visit the page and thentraverse links from that page, an exemplary embodiment of the presentinvention suitably provides a window with controls that will stay on theusers' desktop as they navigate throughout the Web. Additionally, theclient toolbar provides a means of automating actions for the user,where these actions take place on third party e-commerce sites.Moreover, prior art systems may utilize a separate browser window torender the wallet controls, but the present invention utilizes astandard browser window which has been divided to provide an area forthe wallet to occupy. For example, in a preferred embodiment, a digitalwallet icon is available to the user as a system tray icon (not shown).Upon invocation of the digital wallet icon, the digital wallet toolbar502 is displayed as shown in FIG. 5. The digital wallet toolbar isunobtrusive while including controls which allow the user to utilize thedigital wallet. Preferably, the toolbar 502 is associated with thebrowser window 500.

As shown in FIG. 6, if the user selects a shopping directory button fromthe toolbar 502, the toolbar expands to a shopping directory page 602.The user can select a merchant from the list of merchants 604 displayedin the shopping directory page 602. Upon selecting a merchant from thelist of merchants 604, the digital wallet takes the user to the selectedmerchant site 702, such as is shown in FIG. 7. Preferably, when thedigital wallet takes a user to a merchant site 702, the toolbar 502returns to its normal size.

When the user makes a purchase from a merchant, for example by placingitems in a shopping cart and proceeding to checkout at the merchant'ssite, the checkout function is performed, in part, by the digital walletof the present invention. As shown in FIG. 8, when the user indicates adesired purchase at a merchant site 702, the checkout user interface 802of the digital wallet is displayed. For example, the checkout display802 appears in one side of the browser window, while the merchant window702 is still displayed on the opposite side of the browser window. Muchof the information that a user would normally have to enter at themerchant checkout (for example, name, address, e-mail address, creditcard information, etc.) is already known by the digital wallet and ispre-filled in the digital wallet checkout window 802. In a preferredembodiment, the user can edit the pre-filled information.

Preferably, the present system also includes methods and apparatus thatfacilitate the reliable population of HTML forms on Web sites. The endresult is that users can identify information content that they wish toprovide to sites in a general manner, independent of the actualappearance, labeling, and behaviors of various e-commerce Web sites.Preferably, the present invention includes an “auto-remember” componentthat allows a user to capture data that is entered and a “form fill”component which includes a powerful set of processes that results fromthe combination of several different models of sites and users.

The present invention collects information from users, storing itsecurely and reliably on a server, and then provides it to appropriateform fields under the user's direction. The system maintains mappings ofuser information to the various HTML form fields of sites that are ofinterest to the user. This information can then direct how HTML formsare to be filled (or pre-filled) for users who wish to interact withthose sites.

With respect to the “auto-remember” feature, prior art digital walletsmay implement a remember function, but it must be initiated by the user.With the present “auto-remember” feature, digital wallet users do notneed to click a button to remember the form they just filled out becausethe present system remembers the fields that the user is submitting on amerchant window. When a form is submitted (for example, by pressing a“Submit” button or a “Buy” button), the online wallet responds bydetermining if the window that triggered the form submission is amerchant window of interest. If so, the wallet suitably remembers thedata; otherwise, the wallet can disregard the occurrence of the formsubmission and continue to run as normal. The digital wallet controlsmay include a button labeled “remember”, or may also support anautomatic remember feature that is always active. In general, fieldsother than those that are automatically populated by the wallet can beremembered. In this context, remembering a field means that when a userenters data into a specific field, the value will be stored by thesystem. The wallet component will detect field values entered in thisway, and will securely transmit them to a server via the Internet. Whena user next goes to this page, the wallet, in addition to populating theform with fields that are retrieved from the wallet system, will alsopopulate the form with values that had previously been remembered. Whenprocessing the form (pre-fill), the wallet will securely retrieve fieldvalues from the server.

More particularly, with respect to the Internet Explorer browser, theinvention suitably implements an ActiveX control that attaches itself toa Web page such as, for example, the American Express Online Wallet. Ina preferred embodiment, the ActiveX control contains a method thatcaptures the browser events of all Internet Explorer browsers, so thatthe American Express Online Wallet can respond to these events ifnecessary by a JavaScript function loaded within the American ExpressOnline Wallet, thereby allowing the system to obtain the completelydownloaded document within an Internet Explorer browser. Specifically,this allows the system to capture the “Document Complete” event raisedby the Internet Explorer browser which specifies when a document hasfinished loading. When this event is captured, the ActiveX controlnotifies the American Express Online Wallet by calling a JavaScriptfunction loaded within the American Express Online Wallet. This functionresponds to this event by suitably communicating with the ActiveXcontrol to capture the “Form Submit” events for all forms on allInternet Explorer browsers.

When a user fills a form on a Web page and clicks the “Submit” (i.e.,any control, such as a button, that submits a form) button for thatpage, the American Express Online Wallet is notified by the ActiveXcontrol calling a JavaScript function loaded within the American ExpressOnline Wallet. The American Express Online Wallet then suitablydetermines if the document raising the “Submit” event is of interest bychecking the URL of the window that raised the event. If the event is tobe handled, the American Express Online Wallet must call a suitablefunction within the ActiveX control that obtains the document objectmodel (DOM) that raised the event. The DOM can then be traversed and theform values can be saved so that they can be sent to the server forstorage in memory. In a preferred embodiment, the ActiveX control mustproperly detach itself from capturing the browser events and form“Submit” events so that runtime errors are minimized.

With respect to the Netscape browser, because of Netscape'simplementation of events, the system captures the event from withinJavaScript alone. If the system successfully obtains the “UniversalBrowser Write” privilege (i.e. granted by the user), the system can thensuccessfully call a function that allows an external window to captureevents of another window. The system then can traverse the documentobject model for all frames of that window. When doing so, the systemnotifies each form of the window that the system wants to capture the“Submit” event. As such, when a user fills a form on the window that thesystem notified and clicks the “Submit” button (i.e., any control, suchas a button, that submits a form) for that page, the online wallet isnotified and suitably responds. One skilled in the art will appreciatethat the present invention may be implemented in any suitabletransaction system, including, but not limited to any suitable digitalwallet system.

With respect to the form fill function, the digital wallet, such as, forexample, the American Express Online Wallet, provides a form fillfunctionality to aid users in populating forms. Prior art systems, suchas the system provided by GlobeSet, Inc., typically use a Browser HelperObject (BHO). The BHO approach often includes disadvantages such as, forexample, the Internet Explorer 5.0 browser has a bug where it will onlyload the first BHO specified in the registry. This is a problem for anyapplication since it can't be sure whether its BHO is loaded or not.Moreover, a BHO is loaded for each instance of Internet Explorer suchthat multiple instances of a BHO could be running at any giventime—therefore eating up memory and slowing down navigation for allbrowsers versus only the one of interest.

The present invention preferably replaces the BHO solution by using thesame ActiveX control as specified in the “auto remember” feature. Byattaching an ActiveX control to the Online Wallet Web page, the systemsuitably obtains the document object model for any document loadedwithin any given Internet Explorer browser by using, for example, theShell Windows API. When a user clicks a “Fill Form” button on the OnlineWallet, the wallet can respond by first obtaining the document objectmodel through the ActiveX control. Next, the wallet can save the namesof the fields that make up forms and send them to a heuristic engine onthe server. The server will respond to this request by returning thevalues that should be used to fill these fields. The fields can then befilled using the same document object model obtained earlier. As such,the present invention reduces the problem of having to enter repetitivedata in forms at Web sites. In addition to saving effort on part ofcustomers, it increases accuracy of the entered data.

More particularly, the architecture of the present invention combines aserver-side model of each site (e.g., fields, pages, links, etc.),server-side model of user (e.g., profile), user generated model of site(e.g., macro recording, tagging, drag and drop) model of site manuallygenerated by system (e.g., to augment and validate the user generatedmodels), and heuristically generated model of site (e.g., inference ofsemantic information about fields, actions, etc.). The present systemcreates and stores several distinct types of models. The firstcharacterizes the site, for example, how do you check out, how do youadd something to a shopping cart, how do you search for a type ofproduct, how do you enter preferences (e.g., travel), etc. The secondmodel characterizes the user, for example, what are the things that auser can do and what are the profile attributes of a user. By combiningthese two models, the present system creates special processes that addgreat flexibility and power. The system maps from the model of what auser can do, to the model of the site, wherein the site models aregenerated by any known method. As such, the site model can be created bythe user, by the host, by the transaction card company (issuer) or evenby the site provider. In a preferred embodiment, ECML/XML can be used torepresent models for the site. In various embodiments site models can beexchanged with other systems.

For example, a user may routinely visit sites of different airlines andtravel services in order to purchase airline tickets. Each sitetypically has fields on different screens for collecting informationthat are relatively similar between the various sites. However, eachsite will use different HTML form fields that are placed on differentURLs, and which may also change over time. Even though the informationis very similar in nature across the different sites, there is presentlyno common mechanism to automate the process of populating fields foruser travel preferences (e.g., seating, meals, travel times, affinityrewards, etc.). Each site may-have its own profile of the user whichstores much of this information. However, the user would still need tocreate such a profile for each site independently, given the currentpractice.

The present invention includes heuristics based field recognition. Inthis approach, field labels are identified by their spatial proximity toform fields of interest. A combination of field labels and form fieldHTML attributes (most notably the “name” attribute of the HTML “input”,“select”, and “action” elements) will be used as input to a heuristicengine that contains a dictionary to aid the identification of desiredfields.

In another embodiment, the present invention includes user mediatedfield recognition. In this approach, the user willfully captures inputvia a “Remember” button or similar control that allows servers tocapture information about the sequence of actions the user executes.When the user does this, he or she can effectively “play back” theactions (similar to macro scripting employed in other software systems).As such, the user's actions can be fed into the heuristic engine andalso be fed directly into field mapping tables that are used by theprocesses of this engine.

In a preferred embodiment, the above two approaches may need some manualinteraction in order to completely create process maps and form fieldmaps that accurately depict the navigation and form field completionpossibilities that enable this invention. When necessary, human analystswill operate in a fashion similar to what occurs during user mediatedfield recognition, although they will provide far more information abouttheir navigation and form filling processes than would the typical user.In all cases, the information that is gathered is used to create aprocess map (or detailed site map) that depicts the sequence of actions(form fill, HTTP Post, HTTP Get, etc.) by which various activities canoccur. A field map will also be generated for each of the Web pages inthe process map, wherein the field map defines the precise names offields that can be used to automate form submission. State maps may alsobe required to track the states of users as they interact with the Website (the state of the user, such as logged on vs. not logged on, willmodify the results of specific actions on the site).

In a preferred embodiment, the process by which the user interacts caneither be fully automated (in which case the user merely conveys thedesire to perform a scripted action) or can be user mediated (in whichcase the invention can pre-fill form fields for the user, therebyaffording the user the opportunity to correct, change, or complete anyfields that require further data entry). In addition to the products andservices described above, the enabling technology in the form of theprocess and field maps can be leveraged for new products and services,such as enabling companies to automate the entry of form data for theirsite visitors. For example, if a company compiled process and field mapsfor the benefit of their own customers (by any of the means describedabove), then the company can also license this information, services,and products to third party customers. The sites for which these mapsexist may also use the present invention such that the sites benefit bydelivering a similar service to their customers who are not benefitingfrom the system. The underlying processes themselves will also rely on asystem which acquires this information and reformats it, for example, asXML and ECML. These standard representations would form the basis ofinformation exchange for the latter two products/services.

With reference now to FIG. 9, a process 900 implemented by an exemplaryactivator program suitably includes initializing the application (step902), monitoring the uniform resource locator (URL) as the user browsesor shops online (step 904), determining whether the user is browsing ata supported site (step 906), determining the type of supported site(steps 908 and 912) and responding appropriately at processing steps 910and 914 (respectively). Other features (such as coupons, special offers,monitoring, security and the like) may be implemented at step 916.

Initialization step 902 suitably involves opening the activatorapplication and initializing the application as appropriate. Theactivator application may be initialized in response to system startup,connection to a network (such as the internet or a LAN), orinitialization of a browser (such as Internet Explorer, available fromthe Microsoft Corporation of Redmond, Wash. or Netscape Explorer,available from the Netscape Corporation of Mountain View, Calif.). Invarious embodiments, the activator application may contact the walletserver 140 (FIG. 1), wallet application 406 (FIG. 4) or another serveron network 102. The activator application suitably contacts the remoteserver to obtain information such as a list of Web sites, domain names,or URLs that are supported by the wallet. This information may beobtained on a regular basis (e.g. daily, weekly, monthly, or at eachinitialization of the agent application) or when polled by the activatorapplication or the server. In various embodiments, the activatorapplication stores the list of supported URLs in a cache or file on alocal drive, or in memory on the client computer.

As the user browses the Internet or other data network 102, theactivator application suitably monitors the location of the user on thenetwork. One method of monitoring the user's browsing is to monitor theURL used by the user's browser. In such embodiments, the activatorapplication obtains the present URL from the users' browser (or from thesystem network interface, as appropriate) and compares (step 906) thepresent URL against the list of supported URLs obtained from the remoteserver in initialization step 902. These comparisons are shown inlogically separate steps 906, 908, 912 and 916 in FIG. 9, although thesesteps could be combined or separated in any fashion without departingfrom the ambit of the invention. For example, although FIG. 9 showsmultiple comparisons being executed, a single comparison of each presentURL against the list of supported URLs may be sufficient in certainembodiments.

If the present URL corresponds to a supported URL, the activatorapplication responds appropriately. For example, if the present URL is asupported checkout page (yes in step 908), the activator applicationexecutes a checkout process (step 910). The checkout process may includenotifying the user that the checkout page is supported through a pop-upmessage, or by displaying a particular icon in the system tray or in thefloating window. If the wallet client application 214 is not alreadyopen, the activator application may present a dialog box or other promptto the user indicating that the page is supported by the walletapplication 214. The prompt may also provide a button or other mechanismby which the user may open the wallet application 214.

If the present URL corresponds to a supported payment page (yes in step912), the activator application may provide payment instructions to thewallet application, or otherwise pass control to the wallet application(step 914). Messages sent between the activator application, the walletapplication, the browser, and the like may be sent by Open Desktopmessages, Object Linking and Embedding (OLE) messages, object routinecalls, OS calls, or the like.

In various embodiments, the functionality described above isaccomplished using cookies as described next. Cookies are used to detecta valid user context. If a valid user context is detected, the activatorwill either: launch a server application or launch a server toolbar thatenables the user to launch other applications. For example, a user'sbrowser might have several cookies that signify the ability to purchasevia either a private payment or a specific card product. The activatormay launch a toolbar that allows the user to select a desired paymentinstrument (e.g., from private payments or a card in the user's digitalwallet). It will be appreciated that the available applications are notall necessarily related to a purchase transaction. In variousembodiments, the context information is stored both on a server and incookies associated with the browser. For example, the cookies might actas a key by which the context information can be retrieved from theserver.

Other functionality (step 916) may also be incorporated into theactivator application. For example, security mechanisms (such as thosedescribed above and below), customer monitoring functions, coupons,special offers and the like could be implemented. In the case of couponsor special offers, the activator could sense the present URL ascorresponding to a particular product or Web page. When the user “surfs”or browses to the particular supported URL, the activator applicationnotices the match and presents the user (via a dialog window, or via thebrowser, or the like) with a special offer, such as an opportunity topurchase a particular product or to receive a special discount on apurchase. It will be appreciated that other functionality could beincorporated into the activator application without departing from theambit of the present application.

In various embodiments of the invention, wallet client 214 (FIG. 2) ispre-filled with information that is specific to the particularuser/customer. With reference to FIG. 1, a user may apply for a digitalwallet by contacting a Web server such as wallet server 140 on network102. The user completes a registration form (which may be generated withCGI scripts, for example) to apply for the wallet. Wallet server 140suitably receives demographic, account and other information (e.g.address, shipping address, name, credit card number, and the like) fromauthentication server 306 (FIG. 3) or another server on a privatenetwork. This information may be used to configure a wallet client 214(FIG. 2) that is unique to the particular user. One method ofconfiguring the wallet client 214 is to create a configuration file thatis associated with client 214 and that is read by client 214 to obtainwallet information as described above.

Preferably, the registration information also includes card readerinformation which includes whether the card reader port should be serialor USB port. If the wallet application is approved, a card reader may beshipped or otherwise provided to the user, and a special code (such as acryptographic key, or a password, or any other sort of electronic orprinted code) is also provided to the user. The user then registers foronline wallet service by electronically contacting wallet server 140 andauthenticating to the server with the card and/or with the special code.After providing the special code, the user receives a speciallyconfigured copy of the wallet software, which may be installed oncustomer computer 110, as appropriate. The wallet pre-fill procedure maybe used with any credit card or charge card by simply associating aversion of the wallet program with a special code. Configurationinformation for a particular user is associated with a code that isprovided to the user, who may later present the special code toauthenticate him/herself with wallet server 140 to obtain a copy of thewallet that has already been pre-configured with data specific to theparticular user.

With primary reference now to FIGS. 1 and 10, customer 110 suitablyinitiates a transaction by logging in to wallet server 140 usingsmartcard 202. To log in to the wallet server 140, customer 110 firstmay connect to the security server 130 via browser 216. The user selectsa particular uniform resource locator (URL) for the login page through abookmark, an internet shortcut, a hyperlink, or any other suitabletechnique. Security server 130 may then return a login page via networkinterface 302. In various embodiments, a form entry and submissionbutton for user/password login and a hypertext link for smartcard loginare provided as part of the login page. The user selects smartcardlogin, and browser 216 suitably responds by forwarding log on requestmessage 1002 (FIG. 10). Security server 130 receives logon request 1002and initiates the smartcard logon process as appropriate. In variousembodiments, security server 130 formats a cryptographic challenge byauthorization server 306 or security engine 304 in response to logonrequest message 1002. Cryptographic challenge 1004 is any sort ofchallenge message that prevents replay attacks (e.g., fraudulentmessages created by re-sending previously sent authentication packets),such as a challenge that is based upon random data and is designed tosolicit a response from the X.509 application stored on smartcard 202.The challenge is then suitably provided to customer 110 via network 102as challenge message 1004.

Upon receipt of challenge message 1004, browser 216 suitably passesmessage 1004 to wallet client 214 for processing with smartcard 202. Ifwallet client 214 is not running, browser 216 may automatically open theprogram. Wallet client 214 then prepares the signature response, asappropriate. For example, wallet client 214 may extract the serverchallenge information, format a new client challenge (i.e., a secondcryptographic challenge for smartcard 202), combine both challenges intoa dual challenge, and compute a hash of the dual challenge for lateruse, for example, in a Public-Key Cryptography System 1 (PKCS1)cryptographic block. The hash may be computed according to any algorithmsuch as MD3 or MD4, for example, and is suitably used to guarantee thecompleteness and accuracy of the data in the dual challenge block. Itwill be understood that PKCS1 is a public key cryptography standarddefining mechanisms for encrypting and signing data using RSA public-keycryptosystems. The PKCS standard is fully defined in PKCS #1: RSACryptography Specifications Version 2.0 dated September 1998 (availableonline from http://www.rsa.com/rsalabs/pubs/PKCS/html/pkcs-1.html) andincorporated herein by referenced in its entirety.

The PKCS1 block is suitably provided to smartcard 202 via reader 204 forprocessing (step 1006 in FIG. 10). In various embodiments, card reader204 interacts with customer computer 110 to prompt the user for apersonal identifier, for example a personal identification number (PIN)or other unique identifier, to access the card. In a preferredembodiment, a PIN is stored on smartcard 202. Alternatively, a PIN orother personal identifier may be stored elsewhere on the system, forexample, on the reader 204 or the customer computer 110. The usersuitably enters the personal identifier as appropriate to unlocksmartcard 202, which receives the dual challenge block from walletclient 214 and digitally signs the block as appropriate. In variousembodiments, smartcard 202 contains a private key that is used tocompute a digital signature of the block. The signed block is thenreturned to wallet client 214, as appropriate. In various embodiments,smartcard 202 also provides a certificate (such as an X.509 certificatethat corresponds to the private key used to compute the digitalsignature.

After receiving the signature and certificate from smartcard 202, walletclient 214 suitably creates an appropriate response message 1008 to besent to security server 130. Although response message 1008 may be inany format, various embodiments format response message 1008 as a PKCS7message as defined in PKCS #7: Cryptographic Message Syntax Standard, AnRSA Laboratories Technical Note, Version 1.5, Revised Nov. 1, 1993,available online from ftp://ftp.rsa.com/pub/pkcs/doc/pkcs-7.doc andincorporated herein by reference in its entirety.

After receiving response message 1008, security server 130 processes themessage as appropriate (step 1010 in FIG. 10). In various embodiments,response message 1008 is routed to authorization server 306, whichverifies the certificate and signature provided by smartcard 202. Uponsuccessful verification of the certification and validation of thesignature, in various embodiments a security token may be generated andreturned to the customer 110 or smartcard 202.

In this manner, subsequent presentation of the Security token provides ameans for the user to establish identity and securely interact with thewallet server. In various embodiments, authorization server 306 may alsocreate an additional security token that identifies the user. In variousembodiments this token may consist of multiple portions which can thenmap to an appropriate digital certificate, smart card, or other data,possibly utilizing data in database 310. In various embodiments, theadditional security token and/or portions therein may be provided tocustomer 110 in conjunction with redirect message 1012. In variousembodiments, the additional security token may be provided to thecustomer or maintained on authorization server 306.

Upon receipt of redirect message 1012, customer 110 suitably contactswallet server 140 to request a connection. In various embodiments“Request connect” message 1014 suitably includes the security token andpossibly the additional security token in entirety or part as part ofredirect message 1012. Wallet server 140 queries the security server 130using some combination of security tokens in whole or part to obtainidentification of customer 110. The query 1016 and response 1018 aresuitably transmitted across network 150, which in some embodiments ismaintained separate from network 102 to enhance the security of thesystem 100. An alternative embodiment employs network 102 that in someembodiments affords enhanced security by Virtual Private Network, SSLprotocol, use of shared secrets, and/or other cryptographic means in thereturn credentials 1018 are in order, wallet server 140 retrieves theattributes corresponding to customer 110 from wallet database 408 andnotifies customer 110 of a successful login via message 1020. It will beappreciated that alternate embodiments of a logon sequence are possible.It will also be appreciated that any sort of encryption schemes, messageformats and the like could be used to implement a login sequence 1000.

Referring now to FIG. 11, an exemplary authentication flow 1100 suitablefor use during a purchase transaction begins with a customer 110 placinga request 1102 with wallet server 140 for an event (such as a purchase)for which authentication is required. Wallet server 140 suitablyrecognizes the event and submits a request message 1104 to the securityserver 130, for example, via communication channel 150, to format achallenge message. Authentication server 306 (or some other component ofsecurity server 130, as appropriate) then formats a challenge message1106 (which may include random data) and provides the challenge message1106 to wallet server 140, for example, via connection 150. Walletserver 140 receives the challenge message 1106 and forwards thechallenge data to browser 216 as signature request message 1108. Browser216 opens wallet client 214, if necessary, and forwards signaturerequest message 1108. As described above, wallet client 214 formats asignature request block such as a PKCS1 block including a serverchallenge, a client challenge and a hash. The resultant signaturerequest block is provided to smartcard 202 via reader 204. Smartcard 202suitably signs the block and provides a copy of its X.509 certificate,as appropriate.

The signed block may then be returned to wallet client 214, whichsuitably formats an appropriate signature response message 1110 (such asa PKCS7 message) and sends it to wallet server 140. Wallet server 140then formulates validity check message 1112, which includes data fromsignature response message 1110 and the security token associated withcustomer 110 during the logon process (such as the exemplary logonprocess shown in FIG. 10). In alternate embodiments, the security tokenprovided is received from customer 110 as part of signature responsemessage 1110. Validity check message 1112 is sent to security server 130via connection 150, as appropriate. Security server 130 may then routevalidity check message to authorization server 306, as appropriate,which may check the signature and retrieve the appropriate securitytoken from database 310 (step 1114 in FIG. 11). The security tokenand/or optional unique identification code retrieved from the databaseis then compared to the security token or ID received from the walletserver 140. If the two objects (e.g., security tokens or IDs) match, itcan be deduced that the card presently used by customer 110 is the samecard used by customer 110 at the time of log on. An appropriate approveor reject message 1116 is then sent from security server 130 to walletserver 140, and the transaction is allowed to proceed.

In various embodiments, wallet server 140 acts as a proxy for customer110 during transactions. For example, wallet server 140 may completepurchase forms including shipping address, card number, and the like onbehalf of purchaser 110. Merchant 120 may then authorize the purchasetransaction as a standard charge card transaction using conventionalhardware and software. It will be realized, however, that the addedsecurity provided by the systems disclosed herein will allow addedconfidence in the identity of the purchaser, thus justifying a lowerdiscount rate for the transaction.

Various embodiments of the invention incorporate an added protectionagainst security breaches. Because many server-side functionsincorporated into security server 130 or wallet server 140, for example,may incorporate various scripting components written in scriptinglanguages such as JavaScript (as defined by Sun Microsystems of MountainView, Calif.) or VBscript (as defined by the Microsoft Corporation ofRedmond, Wash.), servers coupled to network 102 may provide variousfunctionality to the multiple clients 110 through such server languagesby providing scripts (or code) from the server to the client. The codeis interpreted, compiled or otherwise executed by client computer 110.In embodiments incorporating JavaScript, for example, scripts areinterpreted and executed by a browser program (e.g. Internet Explorer,Netscape Communicator or the like) running on client computer 110. Otherembodiments include other non-PC browsers, for example WirelessApplication Protocol (WAP) phones that support Wireless MarkupLanguage(WML) scripts. The various scripting languages may containinstructions, objects or other data mechanisms for accessing files onthe user's hard drive, for example, or for otherwise manipulating dataon the user's computer. To prevent unauthorized sources from providingexecutable code to the user, the scripting languages may include amechanism for allowing the user to approve scripts provided only fromtrusted sources. For example, a user conducting an electronictransaction as described above may allow scripts provided from thewallet server to execute, but may prevent other scripts provided byother sources from executing on the user's computer.

A potential security problem encountered with many scripting languagesis shown in FIG. 12A. An unscrupulous “cracker” may create a Web site1204 that is designed to perform malicious activities against users of alegitimate Web server 1206. The cracker site 1204 (shown as the“criminal site” in the figure) may, for example, provide a portion ofcode, such as a script, to the user. The criminal site 1204 may alsoinduce the user's Web browser 216 to request a particular uniformresource locator (URL) at the legitimate server 1206 (such as the walletserver 140, or any other server on network 102). The referenced URL maybe deliberately crafted such that the legitimate server 1206, returns,for example, an error message or other response to the client browser216. In various embodiments, the response from the legitimate server1206 may automatically include a portion or variation of the requestfrom the user's Web browser 216. If that response includes JavaScript,VBscript or other code generated as a result of the malicious intent ofthe criminal site 1204, then the code may be executed on the user'scomputer. This example illustrates one of many techniques in which a“cracker” may induce a legitimate Web server 1206 to send maliciousinstructions to a user's Web browser 216. Because the various coding andscripting languages contain instructions for accessing the hostcomputer's file system, registry, or the like, it will be understoodthat the unauthorized execution of such code is highly undesirable.Nevertheless, the technique shown in FIG. 12A may allow scripting orother code from a criminal site 1204 to be provided to a user'scomputer. Because the users' computer thinks that the scripting camefrom a trusted source (i.e. the wallet server), the client's computermay execute the code from the criminal site, thus creating the potentialfor damage, unauthorized data dissemination or destruction, or the like.FIG. 12B illustrates the correct communication flow that should occur(as opposed to the criminal attack flow shown in FIG. 12A).

To prevent this potential security problem, various embodiments of theinvention suitably include techniques for reducing or eliminatingundesired executable code. With reference to FIG. 13, a process 1300 forreducing the likelihood of script attacks suitably includes the steps oflimiting the portions of the server having elevated permission (step1302), removing dangerous characters within that portion of the site(step 1304), encoding certain characters where necessary (step 1306),and optionally logging data that is provided to users from the relevantportion of the Web site (step 1308).

With regard to step 1302, a Web site typically includes various pages,each page having a unique URL. Users of the site may place elevatedtrust in certain servers (such as those corresponding to financialinstitutions or merchants who are reputable). By restricting theelevated trust to only a portion of the Web site (e.g., a limited subsetof URLs corresponding to the trusted Web site), the level of trustafforded to the rest of the site is suitably reduced and security isenhanced. Trust may be restricted to a limited portion of the site byconfiguring the user's Web browser to trust only a portion of the site,for example. The user's Web browser may be configured manually or by aconfiguration script provided by a wallet server, for example. When onlycertain pages (e.g. a portion) of the Web site are enabled withheightened trust, any scripts included in references to other pages willeither not be executed or will not be executed with heightened trust.

In addition to (or as an alternative to) configuring the client suchthat the client only “trusts” a certain portion of the server, theserver may be configured to improve the security of the client-serverinteraction. For example, scripting with heightened trust may bedisallowed on most of the server to improve security. Moreover, dataprovided to the trusted portion of the Web site may be monitored and/ormodified before being returned to the user (steps 1304 and 1306). Mostscripting languages require certain characters for formatting commands.For example, the JavaScript language is frequently encoded with scriptinstructions placed between angle brackets (“<” and “>”). Hence, theangle brackets may be removed from any content that will be returned bya trusted portion of the Web site. If a Web page provided from a trustedportion of the Web site were to include a “criminal” JavaScript programattempting to use angle brackets, for example, the script instructionswould not execute on the user's computer because the script instructionswould not be properly formatted after removing the angle brackets.Alternatively, certain “dangerous” characters (such as the anglebrackets in JavaScript) may be returned in an alternate format, forexample, in “ampersand notation” with an ampersand (“&”) and an AmericanStandard Code for Information Interchange (ASCII) value for theparticular character, or by replacing the “dangerous” character with asafe character, such as the “space” character (step 1306). It will beappreciated that any characters could be eliminated or encoded invarious embodiments of the invention depending upon the particularlanguages, scripting environments, and the like that may be utilized.

In various embodiments, an optional step 1308 suitably includesmaintaining a data log of information provided by the various portionsof the Web site. All content in which characters have been encoded orremoved can be logged so that the log can be reviewed to determine ifthe Web site is being used to compromise a network client. For example,all content provided from the Web page, all content provided from withinthe trusted portion, all content having scripting/programming content,all content from outside the trusted portion, or any other part of theWeb site content could be logged into one or more datafiles. Thedatafiles may be suitably searched or otherwise consulted to determinewhether there have been attempts to provide unauthorized content tousers by the server.

In some cases internal machines can be attacked by a “criminal” sitesending content that contains script to a network server that can logthe content in audit trail (e.g., log) files. Given that a browser mayhave been configured a heightened trust for files residing on theserver, in various embodiments, when a user reviews the audit trailfiles of Web and other e-commerce servers by using the browser, a scriptmay be executed on the network client with the trust level of thenetwork server that delivered the audit trail records (e.g., with aheightened trust level). Execution of this script may cause an attackwhich may occur long after the script was sent to the network server.This attack is preventable using the same methods and proceduresdescribed above to prevent cross site scripting, such as the “criminal”attacks described above. A filter, such as the one described in FIG. 13,running on a network server, such as a Web server, or running on anetwork client, such as a PC browser, can filter for script controlcharacters and encode the characters, reject the characters or rejectthe entire record.

The corresponding structures, materials, acts and equivalents of allelements in the claims below are intended to include any structure,material or acts for performing the functions in combination with otherclaimed elements as specifically claimed. The scope of the inventionshould be determined by the allowed claims and their legal equivalents,rather than by the examples given above.

1. A method comprising: receiving, by a first server comprising aprocessor and a non-transitory, tangible memory, a transaction requestfrom a user for a transaction at a merchant server; receiving, by saidfirst server, a third party request comprising executable commands beingassociated with a selected programming language; scanning said thirdparty request to find executable commands at least one of editing andremoving at least a portion of said executable commands, wherein said atleast one of editing and removing comprises at least one of renderingsaid executable commands unexecutable by a network client by removing acharacter of said executable commands; and rendering said executablecommands unexecutable by said network client by replacing particularcharacters within said executable commands; issuing a challenge to asecond server comprising a processor and a non-transitory, tangiblememory and forwarding the challenge from said second server to the user,wherein said challenge is passed to an intelligent token for processingsaid challenge, wherein said intelligent token generates a response tosaid challenge; receiving said response by said second server from theuser based upon said challenge; processing said response by said secondserver and verifying the intelligent token; assembling credentials forthe transaction at said first server, said credentials comprising atleast one key; providing at least a portion of said assembledcredentials to said user; receiving, by said second server, a secondrequest from said user, said second request including said portion ofsaid assembled credentials provided to said user; and validating, bysaid second server, said portion of said assembled credentials providedto said user with said key of said assembled credentials providingaccess to a transaction service.
 2. The method of claim 1, furthercomprising rejecting a request when said request contains saidexecutable commands having a hostile character.
 3. The method of claim1, further comprising logging said executable commands to form asecurity log.
 4. The method of claim 1, wherein said executable commandscause an unwanted action when executed.
 5. The method of claim 1,wherein said executable commands are malicious.
 6. The method of claim1, further comprising receiving a request for a connection at saidnetwork server from said network client.
 7. The method of claim 1wherein said programming language comprises javascript.
 8. The methodclaim 1, wherein said rendering said executable commands unexecutable bysaid network client by replacing particular characters within saidexecutable commands comprises converting a script format character toanother character, wherein said script format character identifies ablock of code.
 9. The method claim 1, wherein said rendering saidexecutable commands unexecutable by said network client by removing acharacter of said executable commands comprises removing a script formatcharacter, wherein said script format character identifies a block ofcode.
 10. The method of claim 3, further comprising reviewing saidsecurity log to determine whether said executable commands are hostile.11. The method of claim 6, further comprising verifying that a responsefrom said network server to said network client is void of saidexecutable commands.
 12. The method of claim 11, further comprisingproviding said response from said network server to said network client.